imx8m secure boot

jonaspersson — Sun, 19 Apr 2020 07:37:56 GMT

Hello,

I'm trying to get secure boot working on an imx8m board but the HAB reports a warning event. I'm _not_ using the multi stage configuration with uboot spl + uboot but only loading a first stage loader into the TCM ram.

SoC: IMX8M quad-lite, 1.0

CST: 3.3.0

imx-mkimage: rel_imx_4.14.98_2.3.0

CSF file:

[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# This selects which key is used for signing: index = IMG(n-1)
File = ""pki/imx6ul_hab_testkeys/SRK_1_2_3_4_table.bin""
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = ""pki/imx6ul_hab_testkeys/CSF1_1_sha256_4096_65537_v3_usr_crt.pem""
[Authenticate CSF]
# Whole line comment
[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
# Key to install
File = ""pki/imx6ul_hab_testkeys/IMG1_1_sha256_4096_65537_v3_usr_crt.pem""

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7E0FC0 0x1a000 0x22000 "build-pico8ml/pb_pad.imx"

HAB event:

I hab_has_no_errors: configuration: 0xf0, state: 0x66
I hab_has_no_errors: result = 105
W hab_has_no_errors: 1, event data:
0xdb 0x0 0x24 0x43 0x69 0x30 0xe1 0x1d 0x0 0x8 0x0 0x2 0x40 0x0 0x4 0xcc 0x55 0x55 0x0 0x3f 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x5

From what I understand this decodes to:

Header:
0xdb 0x0 0x24 0x43
-Size---
Event HAB Version: 4.3

SRCE:
0x69 0x30 0xe1 0x1d
STS RSN CTX ENG
Warning
HAB_ENG_FAIL
HAB_CTX_ENTRY
HAB_ENG_CAAM
0x00 0x08 0x00 0x02
0x40 0x00 0x04 0xcc
0x55 0x55 0x00 0x3f
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x05

What I'm seeing seems very close to something that is reported in this thread:

iMX8M HAB

But no good explanation was provided beyond the suggestion that it might be related to the CAAM RNG.

I've made the following observations:

1) When loading a signed image with 'uuu' it takes approximately six seconds before the core starts executing the code, indicating that it's stuck in the boot rom for that amount of time. Loading the same code but unsigned boots in less then one second.

2) Corrupting the signature or changing the key index to not match the key results in a few HAB errors; which to me indicates that the signature verification might be working because with the proper signature, key and index I'm only seeing the hab warning.

Questions:

1) Can someone from NXP shed some light on what's going on with the HAB event I'm seeing

I've studied and followed the relevant documentation found here:

mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot

The CST manual

Jonas

Re: imx8m secure boot

Rita_Wang — Thu, 14 May 2020 06:32:08 GMT

Yes, you can refer to this mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot

Re: imx8m secure boot

jonaspersson — Thu, 14 May 2020 06:48:17 GMT

Did you even read the post/question?

You're linking to a document thats in the original post, how is that supposed to be helpful?

Jonas

Re: imx8m secure boot

Rita_Wang — Thu, 14 May 2020 07:40:27 GMT

Hi Jonas,

Sorry about the last reply. For i.MX8M secure boot materials are not public, so we can not share you more. If you need you have to sign the NDA with NXP firstly.

Have a nice day

Best Regards

Rita

topic Re: imx8m secure boot in i.MX Processors

imx8m secure boot

Re: imx8m secure boot

Re: imx8m secure boot

Re: imx8m secure boot